In recent years, multi-factor authentication for human users of computers has increased in popularity. Part of the impetus for multi-factor authentication is that single-factor authentication (e.g., based on a password, by itself) is vulnerable to attacks. For example, through use of malware (e.g., keylogging software), data breaches, and brute force attacks, this type of authentication is relatively easy for committed attackers to defeat. In an effort to achieve stronger security, multi-factor authentication involves two or more forms of authentication credentials of different types. For example, one form of authentication may be based on something the user knows (e.g., a password) while another form of authentication may be based on something the user has (e.g., a valid numerical code sent to the user's smartphone). In combination, these two forms of authentication may be used to restrict access to sensitive resources. The result is a level of authentication confidence higher than single-factor authentication can deliver.
Multi-factor authentication, however, has been uniquely designed for authentication of human users. No comparable or similarly effective techniques have been developed for authenticating software-based services themselves. Indeed, human-focused authentication techniques do not translate to the world of application-based and machine-based identities. Currently, when such services (e.g., network-based applications, virtual machines, container instances, etc.) engage in secure communications, they utilize an embedded privileged identity token or credential that was initially given to them at instantiation. This is a form of single-factor authentication, and one that is particularly vulnerable to attacks. If attackers are able to steal the embedded privileged identity token or credential, they can impersonate the software-based service and potentially cause widespread network compromise. Further, in addition to malicious attacks, existing forms of software-based service authentication are vulnerable to oversights and accidents. For example, if the code for a software-based service is leaked, or made available publicly (e.g., via GitHub™, Google Developers™, etc.), the embedded privileges or credentials may become known to unauthorized users.
In view of these and other deficiencies in existing techniques, technological solutions are needed for deploying secure and efficient forms of multi-factor authentication for software-based services (e.g., applications, application-based machines, etc.). According to such techniques, even if embedded privileges or credentials from an application or virtual instance are stolen or leaked, they will be powerless to perform a successful authentication on their own. Instead, the application or virtual instance should be required to successfully undergo multi-factor authentication in a manner suitable for a software-based service environment. As described below, the techniques for multi-factor authentication should advantageously be designed for a software-based service environment, should be efficient (e.g., with minimal or no service interruption or downtime), should be flexible (e.g., capable of changing as network parameters and compositions change), and should be scalable (e.g., to support growing or shrinking numbers of applications or instances).
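To make the requirement above concrete, the following is an added illustration, not the method of this disclosure: a verifier that accepts a software-based service only when it presents both its embedded credential and a challenge response keyed by a secret that only the live instance can obtain at runtime. The second-factor design, the class and function names, and the sample values are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample values (not from the disclosure): the credential embedded in
# the service at instantiation (factor 1) and a separate runtime-bound secret that
# only the running instance can obtain, e.g. from its orchestrator (factor 2, assumed).
EMBEDDED_CREDENTIAL = "svc-token-0123456789abcdef"
RUNTIME_SECRET = b"runtime-secret-bound-to-live-instance"


class ServiceMfaVerifier:
    """Refuses authentication unless both factors are presented for a fresh challenge."""

    def __init__(self, credential: str, runtime_secret: bytes):
        self._credential = credential
        self._runtime_secret = runtime_secret
        self._pending = {}  # nonce -> True while unused; single use defeats replay

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = True
        return nonce

    def verify(self, credential: str, nonce: str, proof: str) -> bool:
        # Factor 1: the embedded credential, compared in constant time.
        if not hmac.compare_digest(credential, self._credential):
            return False
        # The challenge must exist and be unused; it is consumed regardless of outcome.
        if not self._pending.pop(nonce, False):
            return False
        # Factor 2: possession of the runtime secret, proven by an HMAC over the nonce.
        expected = hmac.new(self._runtime_secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)


def respond_to_challenge(runtime_secret: bytes, nonce: str) -> str:
    """What a live instance computes; a leaked credential alone cannot produce this."""
    return hmac.new(runtime_secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    v = ServiceMfaVerifier(EMBEDDED_CREDENTIAL, RUNTIME_SECRET)
    n1 = v.issue_challenge()  # live instance holding both factors
    both = v.verify(EMBEDDED_CREDENTIAL, n1, respond_to_challenge(RUNTIME_SECRET, n1))
    n2 = v.issue_challenge()  # only the embedded credential is known; wrong runtime secret
    leaked_only = v.verify(EMBEDDED_CREDENTIAL, n2, respond_to_challenge(b"not-the-secret", n2))
    replay = v.verify(EMBEDDED_CREDENTIAL, n1, respond_to_challenge(RUNTIME_SECRET, n1))
    return {"both_factors": both, "leaked_credential_only": leaked_only, "replay": replay}
```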